b'  SELECT APPLICATION CONTROLS\n REVIEW OF THE FEDERAL BUREAU OF\nPRISONS\xe2\x80\x99S SENTRY DATABASE SYSTEM\n\n\n         U.S. Department of Justice\n       Office of the Inspector General\n                Audit Division\n\n            Audit Report 03-25\n                July 2003\n\x0c                      SELECT APPLICATION CONTROLS REVIEW OF\n                         THE FEDERAL BUREAU OF PRISONS\xe2\x80\x99S\n                              SENTRY DATABASE SYSTEM\n\n                                          EXECUTIVE SUMMARY\n\n      SENTRY is the Federal Bureau of Prisons\xe2\x80\x99s (BOP) primary mission\nsupport database. The system collects, maintains, and tracks critical inmate\ninformation, including inmate location, medical history, behavior history, and\nrelease data. SENTRY processes over 1 million transactions each day and\ntracks more than 165,000 inmates. Roughly 85 percent of these inmates\nare housed within the BOP facilities, with the remaining inmates confined in\nother government facilities (state or local) or privately operated facilities\nthrough contracts with the BOP. As of March 2003, over 24,000 personal\ncomputers at approximately 200 facilities could access SENTRY.\n\n      The purpose of this audit was to assess the application controls for the\nBOP\xe2\x80\x99s SENTRY database to determine whether inmate data entered in\nSENTRY is valid, properly authorized, and completely and accurately\nprocessed.1 Our criteria for conducting the review was the Federal\nInformation System Controls Audit Manual (FISCAM).2 We reviewed the\naccuracy and timeliness of SENTRY\xe2\x80\x99s input, processing, and output controls\nand judgmentally selected 3 of the BOP\xe2\x80\x99s 29 Community Corrections Offices\n(CCO) to conduct onsite reviews of their operational workflow (Annapolis\nJunction, Maryland; Philadelphia, Pennsylvania; and Chicago, Illinois). These\nsites were selected because they process large volumes of inmate data into\nSENTRY.\n\n       Our application review of SENTRY identified weaknesses in 4 of the 27\nFISCAM control areas that we tested. We do not consider our findings in\nthese areas to be major weaknesses and assessed SENTRY overall at a low\nrisk to the protection of its data from unauthorized use, loss, or\n\n\n\n\n1\n    As part of our testing of the BOP\xe2\x80\x99s Annual Financial Statement for fiscal year 2002, we conducted a general\n    control review of SENTRY\xe2\x80\x99s operating environment. General controls are the structure, policies, and procedures\n    that apply to an entity\xe2\x80\x99s overall computer operations. If general controls are weak, they diminish the reliability\n    of controls associated with individual applications. Our general control review identified weaknesses in one of the\n    six general control areas that we tested (the system development/change control process).\n\n2\n    FISCAM was developed by the General Accounting Office (GAO) and describes the computer-related controls that\n    should be considered when assessing the integrity, confidentiality, and availability of computerized data.\n    According to FISCAM, both general and application controls must be effective to help ensure the reliability,\n    appropriate confidentiality, and availability of critical automated information. See Appendix III for a detailed\n    description of the FISCAM application control areas tested.\n\n\n                                                           i\n\x0cmodification.3 Our findings were in the following four areas:\n\n               \xe2\x80\xa2   Supervisory reviews (input process),\n\n               \xe2\x80\xa2   Secured/restricted terminals (audit logs),\n\n               \xe2\x80\xa2   Limited transactions access control, and\n\n               \xe2\x80\xa2   Computer matching of transaction data.\n\n      Specifically, we identified data input errors resulting in incorrect\ninmate offense/charge codes, incorrect inmate\xe2\x80\x99s commitment date,\nincorrect date of offense, and offense fines not entered into SENTRY. We\nalso found that the BOP did not adequately monitor audit log exception\nreports. Moreover, our review of SENTRY\xe2\x80\x99s access controls disclosed that\nthe combination of authorization profiles and terminal access authority did\nnot function as required because users with limited access profiles were\nable to process transactions above their level of access when logged onto\nterminals designated for users with higher authorization. We also tested\ncompleteness controls and found that the BOP\xe2\x80\x99s SENTRY General Use\nManual failed to include a required step while updating inmate information.\n\n      We concluded that these weaknesses occurred because BOP\nmanagement did not fully develop, document, or enforce the BOP policies in\naccordance with current Department of Justice (Department) policies and\nprocedures. If not corrected, these security vulnerabilities could impair the\nBOP\xe2\x80\x99s ability to fully ensure the integrity, confidentiality, and availability of\ndata contained in SENTRY.\n\n      This report contains recommendations for improving application\ncontrols for SENTRY in the Findings and Recommendations section. In\ngeneral, we recommend that BOP management ensure that:\n\n               \xe2\x80\xa2   The BOP\xe2\x80\x99s inmate data entry form is updated to reflect current\n                   BOP procedures and needs,\n\n               \xe2\x80\xa2   The BOP\xe2\x80\x99s \xe2\x80\x9cSENTRY System Security Guide,\xe2\x80\x9d requires routine\n                   generation and review of exception reports,\n\n3\n    The National Institute of Standards and Technology (NIST) defines risk as the possibility of harm or loss to any\n    software, information, hardware, administrative, physical, communications, or personnel resource within an\n    automated information system or activity. Additionally, NIST categorizes the information into three basic\n    protection requirements of high, medium, and low in accordance to the system\xe2\x80\x99s sensitivity level. Specifically,\n    low risk would be detrimental if the information is compromised causing minor loss and needing only\n    administrative action.\n\n\n                                                           ii\n\x0c        \xe2\x80\xa2   Exception reports are provided timely to the Information\n            Security Officer,\n\n        \xe2\x80\xa2   SENTRY\xe2\x80\x99s workstation controls are properly configured to access\n            only authorized areas of the system, and\n\n        \xe2\x80\xa2   The BOP\xe2\x80\x99s SENTRY General Use Manual is updated to reflect\n            proper procedures for entering initial records into SENTRY.\n\n     The details of our work are contained in the Findings and\nRecommendations section of the report. Our objectives, scope, and\nmethodology appear in Appendix I.\n\n\n\n\n                                     iii\n\x0c                            TABLE OF CONTENTS\n\n                                                                                   Page\nBACKGROUND ....................................................................... 1\n       SENTRY Database System Environment .............................. 3\n\n\nFINDINGS AND RECOMMENDATIONS..................................... 5\n     I. Authorization Controls (Input) ........................................ 5\n          Supervisory Reviews (Input Process) .............................. 6\n          Recommendations ....................................................... 8\n          Secured/Restricted Terminals (Audit Logs) ...................... 8\n          Recommendations ....................................................... 9\n          Limited Transactions (Access Controls) ........................... 9\n          Recommendation ......................................................... 11\n\n    II. Completeness Controls (Processing) ................................. 11\n          Computer Matching of Transaction Data .......................... 11\n          Recommendation ......................................................... 12\n\n   III. Accuracy Controls (Output) ............................................. 12\n\n   IV. Controls Over Integrity of Processing\n       and Data Files ............................................................... 12\n\n\nCONCLUSION ........................................................................ 13\n\nOTHER REPORTABLE MATTER ................................................ 15\n\nAPPENDICES:\n   I. OBJECTIVES, SCOPE, AND METHODOLOGY.......................... 16\n\n  II. FEDERAL INFORMATION SYSTEM CONTROL AUDIT MANUAL\n      APPLICATION CONTROL AREAS.......................................... 17\n\x0c III. APPLICATION CONTROLS REVIEW GUIDELINES ................... 18\n\n IV. SENTRY\xe2\x80\x99S AUTHORIZED USERS LIST .................................. 36\n\n  V. ABBREVIATIONS.............................................................. 37\n\n VI. DESCRIPTION OF SENTRY DATABASE MODULES .................. 38\n\nVII. APPLICATION CONTROL CRITERIA...................................... 41\n\nVIII. THE BOP RESPONSE TO THE DRAFT REPORT ....................... 42\n\n IX. OFFICE OF THE INSPECTOR GENERAL, AUDIT DIVISION,\n      ANALYSIS AND SUMMARY OF ACTIONS NECESSARY TO\n      CLOSE THE REPORT ......................................................... 45\n\x0c                      SELECT APPLICATION CONTROLS REVIEW OF\n                         THE FEDERAL BUREAU OF PRISONS\xe2\x80\x99S\n                              SENTRY DATABASE SYSTEM\n\n                                                   BACKGROUND\n\n      SENTRY, the Federal Bureau of Prisons\xe2\x80\x99s (BOP) primary mission\nsupport database, processes more than 1 million transactions each day and\nprovides data files to a number of external organizations, including the\nUnited States Pardon Attorney, United States Marshals Service (USMS),\nFederal Bureau of Investigation, and United States Parole Commission. The\nBOP deployed its SENTRY database in 1978. It currently assists in\nmonitoring and tracking approximately 165,000 federal inmates.\n\n      The system is designed to automate and assist in the monitoring of\ninmates consistent with implementation of the Violent Crime Control and\nLaw Enforcement Act of 1994 (VCCLEA),4 the Prisoner Litigation Reform Act\n(PLRA),5 and other laws, which may require special treatment of inmates\nwithin the BOP prison institutions. All inmate information, which is critical to\nthe safe and orderly operation of BOP facilities, is collected, maintained, and\nreported within SENTRY. This information includes inmate institution\nassignment, inmate population, and sentence data. A diagram detailing the\nvarious SENTRY modules and a short description of each module follow.\n\n\n\n\n4\n    The VCCLEA provided for new police offices, funding for prisons, and funding for prevention programs.\n5\n    In April 1996, the PLRA was enacted by Congress as part of the Balanced Budget Down Payment Act, which\n    limits the prospective relief that can be provided for prison conditions as well as terminates the existing orders\n    for prospective relief unless a court finds that prospective relief remains necessary to correct a current or\n    ongoing violation of a federal right.\n\n\n                                                           1\n\x0c                         SENTRY DATABASE MODULES AND DESCRIPTIONS6\n\n\n\n\n                                         State Billing \xe2\x80\x93   Tracks and reports amounts billable to individual states for\n                                         inmates serving state sentences in BOP facilities.\n\n\n\n\n                                         Financial Responsibility \xe2\x80\x93 Records, manages, and monitors court-ordered\n                                         financial obligations imposed on an inmate.\n\n\nInmate\nPopulation\nMonitoring \xe2\x80\x93                             Inmate Discipline \xe2\x80\x93 Tracks every report of an infraction of institution rules\n                                         filed against an inmate.\nTracks inmate\nmovement in\nevery BOP facility\nor while an\ninmate is in\ntransit,                                 Administrative Remedy       \xe2\x80\x93 Automatically produces and routes inmate data\nregardless of                            needed to complete an internal investigation.\nlocation or time\nof day.\n\n\n\n                                         Central Inmate Monitoring \xe2\x80\x93 Identifies inmates within SENTRY who\n                                         require special handling.\n\n\n\n\n                                         Designations \xe2\x80\x93 Assigns inmates to specific facilities.\n\n\n\n\n                                         Sentence Monitoring \xe2\x80\x93 Calculates and tracks all aspects of an inmate\xe2\x80\x99s\n                                         sentence.\n\n\n\n\n                  Source: The BOP\xe2\x80\x99s Information Technology Investment Report, March 1998.\n\n\n\n\n        6\n            SENTRY also includes a Property Management Module that tracks BOP\xe2\x80\x99s accountable property and automatically\n            computes the depreciation of capitalized property; however it is not directly applicable to the Inmate Population\n            Monitoring Module.\n                                                                    2\n\x0cSENTRY Database System Environment\n\n        SENTRY resides on a BOP mainframe7 computer located at the Justice\nData Center in Dallas, Texas (JDC-D) operated by the Department of Justice\n(Department) Justice Management Division\xe2\x80\x99s (JMD) Computer Services.\nOver 24,000 personal computers are in place - at approximately 200\nfacilities in the Department and BOP - to grant access to SENTRY by way of\nthe BOP\xe2\x80\x99s Washington, D.C., Network Control Center (NCC).8 These remote\nsites include federal correctional facilities, regional offices, Community\nCorrections Offices (CCO), and other selected offices. The following diagram\ndepicts SENTRY\xe2\x80\x99s network configuration:\n\n                                  SENTRY Network Configuration\n                                       Justice Data Center - Dallas, TX.\n\n      SENTRY is housed on a\n      mainframe computer at                                    DATA\n      the JDC-D in Dallas, TX.\n                                               MAINFRAME\n\n\n                                                                                      The Sprint FTS and\n                                                                                      local exchange\n                                          Sprint Federal Telecommunications\n                                                     System (FTS)                     carriers provide the\n                                                                                      communication links\n                                                                                      to SENTRY.\n\n\n\n\n                      SENTRY applications are                                  The BOP\xe2\x80\x99s NCC\n                      accessed by end-users,                                  Washington, D.C.\n                      Department and BOP\n                      facilities through the BOP\xe2\x80\x99s\n                      NCC.\n\n\n                                         Sprint Federal Telecommunications\n                                                    System (FTS)\n\n\n\n\n                                                     SENTRY users\n\n\n\n\nSource: The Office of the Inspector General\xe2\x80\x99s (OIG) analysis of the SENTRY Network Configuration.\n\n\n\n\n7\n    A mainframe is a large system capable of handling tens of thousands of online terminals. Large-scale\n    mainframes support multiple gigabytes of main memory and terabytes of disk storage. Large mainframes\n    use smaller computers as front-end processors that connect to communications networks.\n\n8\n    See Appendix IV for a listing of SENTRY\xe2\x80\x99s authorized users.\n\n\n                                                           3\n\x0c       SENTRY utilizes a client/server application. This is a network\narchitecture in which each computer or process on the network is either a\nclient or a server. Servers are powerful computers or processes dedicated\nto managing disk drives, printers, or network traffic. Clients are personal\ncomputers (PCs) or workstations on which users run applications. Clients\nrely on servers for resources, such as files, devices, and even processing\npower. The client part of the program is referred to as the front-end\nprocessor and the server part is referred to as the back-end.\n\n      SENTRY is comprised of approximately 700 program routines written\nin COBOL,9 which is used to process data to a database management\nsystem (DBMS). SENTRY allows concurrent sharing of data among multiple\nusers. The DBMS maintains the indices that are necessary to translate\napplication program data requirements into the information used by the\nmainframe\xe2\x80\x99s operating system to read or write data to SENTRY. The DBMS\napplication used for SENTRY is the Computer Associate\xe2\x80\x99s (CA) Integrated\nData Management System (IDMS). The IDMS\xe2\x80\x99s function is to process\ntransmitted data between SENTRY and the mainframe operating system.\nThe IDMS writes and retrieves data to and from the physical storage area of\nthe mainframe when SENTRY is accessed.\n\n       SENTRY communications are relayed by way of the BOP\xe2\x80\x99s Wide Area\nNetwork (WAN) circuits. The SENTRY mainframe is accessed by way of\nSystems Network Architecture (SNA) gateways,10 which ensure that all\nSENTRY circuits include end-to-end encryption. Each BOP facility connects\ndirectly to the BOP\xe2\x80\x99s NCC via the Sprint Federal Telecommunications System\n(FTS) network. The Sprint FTS and the local exchange carriers provide the\ncommunication links for SENTRY. However, the BOP migrated its data\ncommunications to the Justice Consolidated Network (JCN),11 which also is\nimplemented primarily through the Sprint FTS contract. The FTS currently\nprovides intercity telecommunications services for federal government\nagencies.\n\n\n\n9\n     COBOL (Common Business Oriented Language) is a popular high-level programming language used for business\n     applications that runs on large computers.\n\n10\n      SNAs are IBM\'s mainframe network standards consisting of a centralized architecture with a host computer\n     controlling many terminals. Enhancements have adapted SNA to today\xe2\x80\x99s peer-to-peer communications and\n     distributed computing environment. Gateways perform protocol conversion between different types of networks\n     or applications to facilitate communication between different systems.\n\n11\n     The OIG previously audited JCN (see OIG Audit Report Number 03-13, \xe2\x80\x9cIndependent Evaluation Pursuant to the\n     Government Information Security Reform Act,\xe2\x80\x9d fiscal year 2002, the Justice Consolidated Network, February\n     2002).\n\n                                                        4\n\x0c                             FINDINGS AND RECOMMENDATIONS\n\n                    Our application review of SENTRY identified weaknesses\n                    in 4 of the 27 FISCAM control areas that we tested.12\n                    In our judgment, these are not major weaknesses in\n                    SENTRY. We consider the system overall to be at a low\n                    risk to the protection of its data from unauthorized use,\n                    loss, or modification. Specifically, we found weaknesses\n                    in the areas of supervisory reviews (input process),\n                    secured/restricted terminals (audit logs), limited\n                    transactions for access controls, and computer\n                    matching of transaction data. We concluded that these\n                    weaknesses occurred because BOP management did not\n                    fully develop, document, or enforce the BOP policies in\n                    accordance with current Department policies and\n                    procedures. If not corrected, these weaknesses could\n                    impair the BOP\xe2\x80\x99s ability to fully ensure the integrity,\n                    confidentiality, and availability of data contained in\n                    SENTRY.\n\nI.         Authorization Controls (Input)\n\n      Authorization controls involve the process of granting or denying\naccess to a network resource, converting the data to an automated form,\nand entering the data into the application in an accurate, complete, and\ntimely manner. Testing of authorization controls includes examining the\ndata input process and determining if controls exist for ensuring:\n\n           \xe2\x80\xa2    Data are authorized prior to being entered;\n\n           \xe2\x80\xa2    Access restrictions exist to prevent unauthorized personnel from\n                obtaining blank source documents to record unauthorized\n                information and insert the document into production with\n                authorized documents;\n\n           \xe2\x80\xa2    Supervisory or independent reviews of the source document occurs\n                before its data is entered into the automated system;\n\n           \xe2\x80\xa2    Data entry terminals are only accessible to authorized users for\n                authorized purposes;\n12\n     Although we performed a full application review of SENTRY, this audit report does not include an evaluation of\n     SENTRY\xe2\x80\x99s general controls. As part of the OIG\xe2\x80\x99s Federal Bureau of Prisons Annual Financial Statement for fiscal\n     year 2002, we evaluated the general controls over select SENTRY systems. In that report, weaknesses were\n     identified in the area of application software development/change control, which represents one of General\n     Accounting Office\xe2\x80\x99s (GAO) six FISCAM general controls.\n                                                          5\n\x0c           \xe2\x80\xa2   Users are limited to what transactions they can enter;\n\n           \xe2\x80\xa2   Master files are configured to assist with identifying unauthorized\n               transactions;\n\n           \xe2\x80\xa2   Exception reports are generated and reviewed before transactions\n               are posted; and\n\n           \xe2\x80\xa2   Duties are appropriately segregated among staff.\n\n      Our audit of the BOP\xe2\x80\x99s authorization controls for SENTRY found that\nauthorization controls were in place within the areas of controlled and\nauthorized source documents;13 unauthorized transactions; and reported\nexceptions. However, we identified weaknesses with respect to SENTRY\xe2\x80\x99s\ninput process, review of audit logs, and access controls.\n\n           Supervisory Reviews (Input Process)\n\n      During the input process, a supervisory (or independent) review of the\ndata should occur before it is entered into the automated system. This\ncontrol is used to ensure that unauthorized transactions are not being\nentered and that exceptions are reviewed and corrected before transactions\nare posted. Since SENTRY is used for collecting, maintaining, and reporting\ninmate information vital to the operation of the BOP facilities, it is critically\nimportant to maintain the integrity and quality of the data that lies within it.\nThe BOP\xe2\x80\x99s Information Technology Investment Report (Section 2.2), dated\nMarch 1998, requires accurate entry of data to help provide assurance that\ndata integrity is being maintained.\n\n      We performed survey work of the BOP\xe2\x80\x99s mandatory procedures for\nSENTRY\xe2\x80\x99s input process at one field office (Chicago, Illinois), and we\nperformed detailed testing at two regional offices (Philadelphia,\nPennsylvania; and Annapolis Junction, Maryland). To review for\nauthorization and correct entry into SENTRY, we selected a total of 48\ninmate files from the Philadelphia and Annapolis Junction offices. From each\ncase file, we examined the mandatory source documents (the Court\xe2\x80\x99s\nJudgment and Commitment Order (J&C), the USMS Judgment and Individual\nCustody and Detention Report,14 and the United States Probation Office\xe2\x80\x99s\npre-sentence investigation report) and compared them to the information\n13\n     Controlled and authorized source document controls are implemented to ensure that access to blank documents\n     is restricted to authorized personnel.\n14\n     This form is referred to as Form USM-129.\n\n\n                                                        6\n\x0centered into SENTRY. These three source documents are received by the\nCCO and are used to complete the initial processing of an inmate\nassignment.15\n\n       We selected a total of 23 case files for review at the BOP\xe2\x80\x99s Philadelphia\nCCO. Two of the 23 case files identified data entry errors. One case file\ncontained an incorrect \xe2\x80\x9coffense/charge code\xe2\x80\x9d (\xe2\x80\x9c391\xe2\x80\x9d) for \xe2\x80\x9cattempt and\nconspiracy\xe2\x80\x9d versus a correct code (\xe2\x80\x9c381\xe2\x80\x9d) for \xe2\x80\x9ccreate, manufacture,\ndistribute or dispense controlled narcotic drug.\xe2\x80\x9d The second case file\nrevealed an incorrect inmate\xe2\x80\x99s commitment date. A source document (J&C)\nshowed a commitment date of \xe2\x80\x9c09/19/02,\xe2\x80\x9d yet the date entered in SENTRY\xe2\x80\x99s\ndatabase was \xe2\x80\x9c09/18/02.\xe2\x80\x9d\n\n       At the BOP\xe2\x80\x99s Annapolis Junction CCO, we reviewed 25 case files. We\nidentified data entry errors for three case files. At this office, we again\nfound an inmate \xe2\x80\x9cdescription of offense\xe2\x80\x9d code incorrectly entered. In this\ncase, an incorrect offense code of \xe2\x80\x9c381\xe2\x80\x9d was entered instead of the code\n\xe2\x80\x9c382\xe2\x80\x9d \xe2\x80\x9cmarijuana charge\xe2\x80\x9d as indicated on the source document (PSI report).\nAdditionally, we found a different inmate\xe2\x80\x99s record was entered in SENTRY\nwith an incorrect \xe2\x80\x9cdate of offense.\xe2\x80\x9d The source document (J&C) contained\nonly the month and year. However, the date entered into SENTRY was\n\xe2\x80\x9c12-31-1999.\xe2\x80\x9d Lastly, some information contained in an inmate\xe2\x80\x99s case file\nwas not entered into SENTRY. The source document (J&C) indicated that\nthe inmate paid offense fines of $500 and assessments fines of $50.\nHowever, this information was not entered in the \xe2\x80\x9cFelony Assessment &\nFines\xe2\x80\x9d data fields in SENTRY.\n\n       The errors identified above were disclosed to the BOP and corrected in\nthe presence of our auditors. While the input errors we identified were\nrelatively minor, they represent a weakness in internal controls because the\nseverity of an input error could result in a more serious outcome. For\nexample, the repercussions of an incorrect offense/charge code could result\nin transporting an inmate to an inappropriate facility.\n\n       In our judgment, these errors occurred because: 1) the BOP does not\nenforce the use of the BOP\xe2\x80\x99s form BP-337 as a primary document for\ninputting data into SENTRY, and 2) the BOP\xe2\x80\x99s primary form BP-337 does not\nidentify which source documents are to be used to complete mandatory\ninformation into SENTRY. Additionally, the multiple source documents used\nto complete the BP-337 sometimes contain conflicting information or lack\nmandatory information. Since the BOP Community Corrections Management\n\n15\n     The BOP transfers information obtained from the courts, the USMS, or other law enforcement documents to a\n     single document (the Male/Female Inmate Load and Designations Form BP-337). The BOP uses the BP-337 as\n     the source document for entering consolidated data into SENTRY.\n                                                       7\n\x0cOperational Procedures, Policy Standards (PS) 5100.07, does not require the\nBP-337 to be completed for all data input into SENTRY from a single source\ndocument (or state which source document should be used to complete the\nvarious sections of the BP-337), this causes confusion as to which source\ndocument to use to obtain the mandatory information.\n\n     Recommendations:\n\n           We recommend the BOP Director ensure that BOP management:\n\n           1. Enforce the BOP (PS) 5100.07, which states that all CCOs are\n              to use the BP-337 for inputting initial inmate data as the sole\n              source document.\n\n           2. Redesign the BP-337 so that mandatory information needed\n              for tracking BOP inmates can be documented.\n\n           3. Modify the BP-337 to indicate which source document should\n              be used to complete each field within this form.\n\n     Secured/Restricted Terminals (Audit Logs)\n\n       Audit logs (commonly known as audit trails) maintain a record of\nactivity by system or application processes. Audit logs provide a means to\nhelp establish several security\xe2\x80\x93related objectives, including individual\naccountability, reconstruction of events, intrusion detection, and problem\nidentification.\n\n      Automated controls, such as an audit log that produces exception\nreports, help to ensure data integrity and can alert management to possible\nmisuses of the system. We found that the BOP end-users and management\ndepend on manual verification of transactions by performing cross-edit\nchecks of source documents to verify data integrity and completeness of\ntransactions entered into SENTRY.\n\n       Currently, the BOP tracks all of SENTRY\'s input and output activities\nthrough an automated audit log, which contains system data such as the\nidentity of the person and device having access to the database, the date\nand time of user logon/logoff activities, and data processed. At present, the\nBOP uses these audit logs for the sole purpose of monitoring SENTRY\'s\noperational performance.\n\n      Although the SENTRY audit logs used to monitor system performance\nare capable of generating ad hoc exception reports, the BOP does not\n                                     8\n\x0croutinely produce these reports from the logs. Additionally, we found that\nthe BOP\xe2\x80\x99s \xe2\x80\x9cSENTRY System Security Guide,\xe2\x80\x9d dated June 23, 2000, does not\nrequire a periodic review of exception logs. Without requiring a periodic\nreview of audit logs, unauthorized activities can go unnoticed,\nuninvestigated, or unresolved.\n\n      Department of Justice Order 2640.2D, Chapter 2, \xe2\x80\x9cSecurity\nRequirements\xe2\x80\x9d (Accountability and Audit Trails), requires that audit logs be\nmaintained and reviewed for activities that could modify, bypass, or negate\nthe system\'s security safeguards.\n\n     In our judgment, these weaknesses exist because the BOP failed to\nimplement a process for routinely identifying exceptions using audit logs.\n\n      Recommendations:\n\n            We recommend the BOP Director ensure that BOP management:\n\n            4. Update the BOP\xe2\x80\x99s \xe2\x80\x9cSENTRY System Security Guide,\xe2\x80\x9d dated\n               June 23, 2000, to require the routine generation and review\n               of exception reports; and\n\n            5. Provide the Information Security Officer with the exception\n               reports generated from the audit logs in the time period\n               specified by the BOP\xe2\x80\x99s \xe2\x80\x9cSENTRY System Security Guide.\xe2\x80\x9d\n\n      Limited Transactions (Access Controls)\n\n      Limited transaction controls restrict the access of legitimate users to\nthe specific systems, programs, and files needed to complete work\nassignments and to prevent unauthorized users from gaining access to\ncomputing resources. Limiting transactions include utilizing system access\ncontrols and ensuring assigned personnel duties are properly segregated.\n\n      Access controls are designed to limit or detect access to computer\nprograms, data, and equipment to protect these resources from\nunauthorized modification, disclosure, loss, or impairment. They also serve\nas a key control for ensuring that staff duties and responsibilities are\nimplemented in a way that safeguards programs. Logical access controls\ninvolve the use of computer hardware and security software programs to\nprevent or detect unauthorized access by requiring users to input unique\nuser identifications, passwords, or other identifiers that are linked to\npredetermined access privileges. Additionally, controls are designed to\nreduce the risk of errors or fraud from occurring and going undetected.\n                                      9\n\x0cPolicies outlining the supervision and assignment of responsibilities to\ngroups and related individuals should be documented, communicated, and\nenforced. Such controls keep individuals from subverting a critical process.\n\n       The BOP\'s \xe2\x80\x9cSENTRY System Security Plan,\xe2\x80\x9d dated February 25, 2000,\nrequires restricting access to SENTRY through the use of software and\nhardware profiles. The BOP access controls are intended to implement two\nlines of defense \xe2\x80\x94 one at the application level, the other at the workstation\nlevel. The use of a user identification/password requires validation and\nauthentication at the application level. At the workstation level,\nworkstations are configured to identify their location and authorization\nfunctional capabilities to SENTRY\xe2\x80\x99s system platform. Additionally, each\nworkstation is required to be configured in a manner that limits access to\nSENTRY according to users\xe2\x80\x99 identification and profiles. These limitations are\nrequired to restrict access to menus, fields, and records within SENTRY.\nAccording to the BOP\xe2\x80\x99s Information Technology Investment Report, dated\nMarch 31, 1998, some transactions also require SENTRY users to utilize\nspecial access codes in addition to their user identification/password.\n\n       Our review of SENTRY\xe2\x80\x99s access controls disclosed that the combination\nof authorization profiles and terminal access authority did not function as\nrequired. Users with limited access profiles were able to process\ntransactions above their level of access when logged onto terminals\ndesignated for users with higher authorization. This control weakness was\nidentified when a user was requested to demonstrate the BOP\xe2\x80\x99s access\ncontrols in place. The user logged onto his assigned workstation and was\nunable to access inmates\xe2\x80\x99 restricted medical records. However, when the\nsame user logged onto a different workstation assigned to another user with\nhigher authorization, the user was granted access to sensitive medical\nrecords without proper authorization.\n\n      Additionally, our audit disclosed that the BOP does not have\ndocumentation defining who should have access to sensitive medical\nrecords. At the time of our audit, we found that a Community Corrections\nTrainee was permitted to view an inmate\xe2\x80\x99s sensitive medical history records\nwithin SENTRY. Duties that are not appropriately segregated significantly\nincrease the risk of releasing private information.\n\n      For SENTRY workstations that are configured to operate at a high level\nof security, access controls should be in place to prevent users with lower\nlevels of authorization from accessing restricted data. The failure to ensure\nthat access controls are properly implemented could cause critical mistakes\nsuch as modifications of inmates\xe2\x80\x99 medical records, transfer records, or\nrelease dates.\n                                     10\n\x0c       Department of Justice Order 2640.2D requires access controls to\nensure system users can only access the resources necessary to accomplish\ntheir duties and no more. Additionally, OMB Circular A-130 requires\nagencies to implement the practice of \xe2\x80\x9cleast privilege,\xe2\x80\x9d whereby user access\nto systems is restricted to the minimum level possible.\n\n      Recommendation:\n\n           We recommend the BOP Director ensure that BOP management:\n\n           6. Enforce the BOP\xe2\x80\x99s existing access control policy by properly\n              configuring SENTRY\xe2\x80\x99s workstation controls to ensure that\n              users with system authorization are restricted to areas of the\n              system that they have been authorized to access, and no\n              more.\n\nII.   Completeness Controls (Processing)\n\n       Completeness controls are designed to ensure that all authorized\ntransactions are processed and completed prior to being entered into the\ncomputer. These controls include the use of record counts and control\ntotals, computer sequence checking, computer matching of transaction data\nwith data in a master or suspense file, and checking of reports for\ntransaction data.\n\n      Our audit of the BOP\xe2\x80\x99s completeness controls for SENTRY found\ncontrols were in place for record counts and control totals, computer\nsequence checking, checking reports for transaction data, completeness of\ndata processed in the processing cycle, and completeness of data processed\nfor the total cycle. However, we identified weaknesses with respect to\nSENTRY\xe2\x80\x99s computer matching of transaction data.\n\n      Computer Matching of Transaction Data\n\n      The BOP\xe2\x80\x99s Community Corrections Management Operational\nProcedures, Policy Standards 1237.12 requires all systems, whether\nautomated or manual, to quickly, accurately, and reliably provide\ninformation. Additionally, it requires that only authorized and accurate\ninformation be entered into databases. When incorrect transactions are\nprocessed, controls should be in place to ensure that these items are\ninvestigated and resolved in a timely manner.\n\n\n\n                                     11\n\x0c      We tested the BOP\xe2\x80\x99s completeness controls for SENTRY and found that\nthe BOP\xe2\x80\x99s SENTRY \xe2\x80\x9cGeneral Use Manual\xe2\x80\x9d (GUM) did not reflect current\nsystem settings. The manual provides instructions for inputting initial\ninmate records into SENTRY. However, when we attempted to simulate the\naddition of a new inmate into SENTRY (by following instructions indicated in\nthe GUM) we noted that the manual failed to include the required step of\nupdating an inmate identification number screen prior to initiating the\naddition of an inmate.\n\n       Recommendation:\n\n            We recommend the BOP Director ensure that BOP management:\n\n            7. Update SENTRY\xe2\x80\x99s General Use Manual to reflect proper\n               procedures for entering initial inmate records into SENTRY.\n\nIII.   Accuracy Controls (Output)\n\n      Accuracy controls are implemented to ensure that data recording is\nvalid and accurate in order to produce reliable results. The implementation\nof these controls includes procedures that are well designed for data entry,\neasy to follow data entry screens, limit and reasonableness checks, and\nvalidation of override actions for appropriateness and correctness. Without\naccuracy controls, invalid data may enter the system and produce unreliable\nresults.\n\n       Our testing of the BOP\xe2\x80\x99s SENTRY accuracy controls confirmed that\ncontrols were in place for source documents, preformatted screens, key\nverification, automated entry devices, programmed validation, tests of\ncritical calculations, restricting overriding data validation, controlled rejected\ntransactions, reported of erroneous data, control output, and review of\nprocessing reports.\n\nIV.    Controls Over Integrity of Processing and Data Files\n\n      Controls over integrity of processing and data files are used to ensure\nthat the current version of production programs and data files is used during\nsystem processing. The implementation of these controls includes:\n(1) executing program routines that can verify the proper version of\ncomputer files, (2) protecting against concurrent file updates, and\n(3) checking for internal file header labels to prevent the system end-user\nfrom bypassing system controls.\n\n\n                                       12\n\x0c      The NIST Federal Information Processing Standards Publication 73,\nSection 3.1.3, states that checking of input data during processing and\nvalidation of data that is generated by the application system are essential\nfor assuring data integrity. Errors should be detected and corrected as soon\nas possible in order to prevent the propagation of invalid data throughout\nthe system and the potential contamination of the system database.\n\n      We confirmed that controls were in place for SENTRY to check for the\nappropriate program. BOP end-users are only permitted access to the\nproduction environment and are locked into the production software version\nof SENTRY. Further, we found that record locks were in place within the\ndatabase disallowing two end-users from updating the same record\nsimultaneously. Finally, we found that SENTRY is not updated through batch\nprocessing, therefore, a test to determine whether SENTRY programs can or\ncannot bypass file header labels did not apply.\n\n                                                  CONCLUSION\n\n       Our application review of SENTRY identified weaknesses in 4 of the 27\nFISCAM control areas that we tested. We do not consider our findings in\nthese areas to be major weaknesses, and we assessed SENTRY overall at a\nlow risk to the protection of its data from unauthorized use, loss, or\nmodification.16 Application control weaknesses were identified in the areas\nof supervisory reviews, audit logs, access controls, and computer matching\nof transaction data. Specifically, we identified weaknesses in the inputting of\nincorrect offense/charge codes, incorrect inmate\xe2\x80\x99s commitment date,\nincorrect date of offense, and offense fines not entered into SENTRY. These\ninput errors represent a weakness in internal controls that should be\ncorrected. We also found that the BOP failed to monitor audit log exception\nreports. Without requiring a periodic review of audit logs, unauthorized\nactivities could go unnoticed, uninvestigated, or unresolved. Moreover, our\nreview of SENTRY\xe2\x80\x99s access controls disclosed that the combination of\nauthorization profiles and terminal access authority did not function as\nrequired. Users with limited access profiles were able to process\ntransactions above their level of access when logged onto terminals\ndesignated for users with higher authorization. We also tested the\ncompleteness of controls for SENTRY and found that the BOP\xe2\x80\x99s SENTRY GUM\nfailed to include a required step while updating inmate information.\n\n16\n     Although we performed a full application review of SENTRY, this audit report does not include an evaluation of\n     SENTRY\xe2\x80\x99s general controls. As part of the OIG\xe2\x80\x99s Federal Bureau of Prisons Annual Financial Statement for fiscal\n     year 2002, we evaluated the general controls over select SENTRY systems. In that report, weaknesses were\n     identified in the area of application software development/change control, which represents one of the six\n     FISCAM general control areas.\n\n\n                                                          13\n\x0c      We concluded that these weaknesses occurred because BOP\nmanagement did not fully develop, document, or enforce the BOP policies in\naccordance with current Department policies and procedures. If not\ncorrected, these weaknesses could impair the BOP\xe2\x80\x99s ability to ensure the\nintegrity, confidentiality, and availability of data contained in SENTRY.\n\n\n\n\n                                    14\n\x0c                                    OTHER REPORTABLE MATTER\n\n      OMB Circular A-130, Appendix III, Section A 3.b.2 (d), requires that\na contingency plan be established and periodically tested to perform the\nagency function supported by the application in the event of failure of its\nautomated support.\n\n      GAO\xe2\x80\x99s FISCAM recommends the frequency of contingency plan testing\nshould vary depending on the criticality of the entity\xe2\x80\x99s operations.\nAdditionally, FISCAM states that generally, contingency plans should be fully\ntested about once every year or two, whenever significant changes to the\nplan have been made, or when significant turnover of key personnel has\noccurred. Industry best practices are more stringent and indicate that a\nnew or revised contingency plan should be fully tested and implemented\nwithin 90 days of development.17\n\n      Although testing of contingency planning was not part of the FISCAM\xe2\x80\x99s\napplication control testing that we performed,18 we noted during our review\nthat SENTRY\xe2\x80\x99s contingency plan was last updated in September of 2002 but\nwas not tested. Prior to the issuance of this report, we confirmed with the\nBOP that testing of the BOP\xe2\x80\x99s SENTRY contingency plan was performed on\nMarch 27, 2003, and the plan was in the review process. We suggest that\nBOP continue to test its contingency plan and update the plan as\ncircumstances warrant.\n\n      We also contacted the JMD regarding this matter. JMD informed us\nthat the Department\xe2\x80\x99s standards (Department of Justice Order 2640.2D) are\ncurrently being modified to reflect the industry best practice of the 90-day\nrequirement for testing contingency plans. We agree with JMD in\nimplementing this more stringent requirement.\n\n\n\n\n17\n     Department of Justice Order 2640.2D, Chapter 1, \xe2\x80\x9cSecurity Program Management,\xe2\x80\x9d Section 9(c) requires that\n     contingency plans be tested annually or as soon as possible after a significant change to the environment that\n     would alter the in-place assessed risk.\n18\n     Contingency planning is a FISCAM general control.\n                                                          15\n\x0c                                                                                              APPENDIX I\n\n\n                             OBJECTIVES, SCOPE, AND METHODOLOGY\n\n      Our audit objectives were to review the application controls for the\nBOP\xe2\x80\x99s SENTRY database and determine whether inmate data entered in\nSENTRY are valid, properly authorized, and completely and accurately\nprocessed.19 In order to meet these objectives, we tested SENTRY\napplication controls using the GAO\xe2\x80\x99s FISCAM, which divides the testing of\napplication controls into four major areas: authorization controls (input),\ncompleteness controls (processing), accuracy controls (output), and controls\nover integrity of processing and data files.\n\n       For testing of SENTRY\xe2\x80\x99s application controls, we judgmentally selected\n3 of the 29 CCOs to conduct onsite reviews of their operational workflow \xe2\x80\x94\nAnnapolis Junction, Maryland; Philadelphia, Pennsylvania; and Chicago,\nIllinois. These CCOs were judgmentally selected because they process large\nvolumes of inmate data into SENTRY.\n\n      Furthermore, we performed reviews of source documents at the three\nCCO offices to test input, process, output, and data integrity controls. In\naddition to the testing performed at the selected CCOs, we interviewed\napproximately 40 BOP officials. These interviews included the BOP\nmanagers and officials from the Computer Services Administration,\nMainframe Systems Support, Systems Development Branch, Policy and\nInformation Resource Management, Office of Information Systems, and\nCommunity Corrections. Additionally, we reviewed application, operation,\nand end-user manuals; the BOP\xe2\x80\x99s and Department information technology\nmanagement policy and procedures; the BOP\xe2\x80\x99s project management\nguidance; the BOP\xe2\x80\x99s organizational structures and federal court cases; and\nprior GAO and OIG reports specific to SENTRY.\n\n      Findings identified at the time of fieldwork were communicated to the\nBOP to initiate corrective action. All audit work was performed in\naccordance with Government Auditing Standards and were based on the\nGAO\xe2\x80\x99s FISCAM, the BOP\xe2\x80\x99s Standard Operating Procedures, and federal laws\nand regulations governing inmate processing within the BOP facilities.\n\n\n\n\n19\n     Although we performed an application controls review of SENTRY, this audit report does not include an\n     evaluation of SENTRY\xe2\x80\x99s general controls. As part of our testing of the BOP\xe2\x80\x99s Annual Financial Statement for\n     fiscal year 2002, we conducted a general control review of SENTRY\xe2\x80\x99s operating environment. That general\n     control review identified weaknesses in the area of system development/change control, which represents one\n     of the six FISCAM general control areas.\n\n                                                        16\n\x0c                                                                 APPENDIX II\n\n\n          FEDERAL INFORMATION SYSTEM CONTROL AUDIT MANUAL\n                      APPLICATION CONTROL AREAS\nAuthorization Controls (Input)                                 VULNERABILITIES\nData are authorized\n1. Controlled and authorized source documents\n2. Supervisory reviews (Input process)                                \xe2\x88\x9a\nRestricted terminals\n3. Secured/restricted terminals (Audit logs)                          \xe2\x88\x9a\n4a. Limited transactions (Access controls)                            \xe2\x88\x9a\n4b. Limited transactions (Segregation of duties)\nMaster files/Exception Reporting\n5. Unauthorized transactions\n6. Reported exceptions\nCompleteness Controls (Processing)\nComputer processed transactions\n 7.   Record counts and control totals\n 8.   Computer sequence checking\n 9.   Computer matching of transaction data                           \xe2\x88\x9a\n10.   Checking reports for transaction data\nReconciliations\n11. Completeness of data processed in the processing cycle.\n12. Completeness of data processed for the total cycle.\nAccuracy Controls (Output)\nData entry design\n13.   Source documents\n14.   Preformatted screens\n15.   Key verification\n16.   Automated entry devices\nData validation\n17. Programmed validation\n18. Tests of critical calculations\n19. Restricted overriding data validation\nErroneous data\n20. Controlled rejected transactions\n21. Reported erroneous data\nOutput reports\n22. Control output\n23. Review of processing reports\nControls over Integrity of Processing and Data Files\n24.   Current versions of production programs and data files\n25.   Routine to verify proper version\n26.   Routine for checking internal file header labels\n27.   Protection against concurrent file updates\n\n\n                                               17\n\x0c                                                               APPENDIX III\n\n\n             APPLICATION CONTROLS REVIEW GUIDELINES\n\n                 GENERAL ACCOUNTING OFFICE\n     FEDERAL INFORMATION SYSTEM CONTROL AUDIT MANUAL\n\n      The application control guidelines used for this audit were obtained\nfrom the GAO\xe2\x80\x99s FISCAM. The information below details the sections from the\nFISCAM used during our review of SENTRY.\n\nOVERVIEW\n\n      Application controls are the structure, policies, and procedures\nthat apply to separate, individual application systems, such as accounts\npayable, inventory, payroll, grants, or loans. An application system is\ntypically a collection or group of individual computer programs that\nrelate to a common function. In the federal government, some\napplications may be complex comprehensive systems, involving\nnumerous computer programs and organizational units, such as those\nassociated with benefit payment systems. For the purposes of this\ndocument, application controls encompass both the routines contained\nwithin the computer program code, and the policies and procedures\nassociated with user activities, such as manual measures performed by\nthe user to determine that data were processed accurately by the\ncomputer.\n\n       Application controls help make certain that transactions are valid,\nproperly authorized, and completely and accurately processed by the\ncomputer. They are commonly categorized into three phases of a processing\ncycle:\n\n        \xe2\x80\xa2   Input - data are authorized, converted to an automated form,\n            and entered into the application in an accurate, complete, and\n            timely manner;\n\n        \xe2\x80\xa2   Processing - data are properly processed by the computer\n            and files are updated correctly; and\n\n        \xe2\x80\xa2   Output - files and reports generated by the application actually\n            occur and accurately reflect the results of processing, and reports\n            are controlled and distributed to the authorized users.\n\n\n\n\n                                      18\n\x0c      Some guides provide additional categories of application controls. For\nexample, data origination is a breakout of input it controls to focus on source\ndocuments and their need for authorization and proper preparation and\ncontrol. Also, data storage and retrieval focuses on access to and use of\ndata files and protecting their integrity.\n\n       Instead of using the phases of a processing cycle, this document uses\ncontrol categories that better tie in with the Specific Control Evaluation\nWorksheets (SCE) found in the FISCAM. The SCE is used to document the\ncontrols evaluation and is prepared for each significant accounting\napplication. Included on the SCE are columns for recording the control\nobjectives and control techniques being evaluated and accuracy including\nwhether the assertion and related transactions are authorized, complete,\nvalid, and accurate. The control objectives and techniques addressed in this\nchapter are consistent with other guidance, but our categorization, tying to\nthe SCE, are the following:\n\n       \xe2\x80\xa2   Authorization controls - aligns with the financial statement\n           accounting assertion of existence or occurrence. This assertion, in\n           part, concerns the validity of transactions and that they represent\n           economic events that actually occurred during a given period.\n\n       \xe2\x80\xa2   Completeness controls - relates to the financial statement\n           accounting assertion on completeness, which deals with whether\n           all valid transactions are recorded and properly classified.\n\n       \xe2\x80\xa2   Accuracy controls - relates with the financial statement assertion\n           on valuation or allocation. This assertion deals with whether\n           transactions are recorded at correct amounts. The control\n           category, however, is not limited to financial information, but also\n           addresses the accuracy of other data elements.\n\n       \xe2\x80\xa2   Controls over integrity of processing and data files - if deficient,\n           could nullify each of the above control types and allow the\n           occurrence of unauthorized transactions, as well as contribute to\n           incomplete and inaccurate data.\n\nAUTHORIZATION CONTROLS\n\n       Only authorized transactions should be entered into the application\nsystem and processed by the computer. Assessing authorization controls\ninvolves evaluating the entity\xe2\x80\x99s success in performing each of the following\ncritical elements:\n\n                                       19\n\x0cCritical Elements:\n\n  \xe2\x80\xa2   All data are authorized before entering the application system.\n\n  \xe2\x80\xa2   Restrict data entry terminals to authorized users for authorized\n      purposes.\n\n  \xe2\x80\xa2   Master files and exception reporting help ensure all data processed are\n      authorized.\n\n       Data should be authorized before it is entered into the application\nsystem. Federal financial management systems are often characterized as\nlarge complex \xe2\x80\x98legacy\xe2\x80\x99 systems and often involve a multitude of documents\nthat flow through various work steps. Paper source documents still play a\nsignificant role for originating data that enter application systems in the\nfederal government. These source documents should fall under control\nmeasures so that unauthorized transactions are not submitted to and\nprocessed by the application. Also, data whether from a source document or\nnot should undergo an independent or supervisory review prior to entering\nthe application.\n\nSource documents are controlled and require authorizing signatures.\n\n      Control over source documents should begin even before data is\nrecorded on the document. Access restrictions over blank source documents\nshould prevent unauthorized personnel from obtaining a blank source\ndocument, recording unauthorized information, and inserting the document\nin the flow with authorized documents and possibly causing a fraudulent or\nmalicious transaction to occur. Use of pre-numbered source documents\ncould help identify unauthorized documents that fall outside the range of\nauthorized numbers for documents being prepared for data entry.\n\n      Key source documents for an application should require an authorizing\nsignature, and the document should provide space for the signature by an\nauthorized official.\n\n      For batch application systems - i.e., source documents are processed\nin batches - the source documents should be collected together and a batch\ncontrol sheet should be prepared for individual batches. The control sheet\nshould have space for recording the date, a batch control number, the\nnumber of documents in the batch, a control total for a key field in the\ndocuments, and the identification of the user submitting the batch.\nEstablishing control over batches helps detect unauthorized modifications to\n\n                                     20\n\x0ca document and prevents unauthorized documents from being entered into\nthe application system. The document counts and control totals also help to\ndetermine whether all transactions are completely entered and processed by\nthe computer. The following sections are also important to ensuring all\ntransactions are authorized, particularly when the application system is\ndesigned such that transactions are entered individually instead of in\nbatches.\n\nSupervisory or independent reviews of data occur before entering\nthe application system.\n\n      Providing supervisory or independent review of data before entering\nthe application system helps prevent the occurrence of unauthorized\ntransactions. A data control unit is effective for this purpose and this\nfunction has evolved as technology has advanced. With earlier systems,\nsource documents were batched in the user department and sent to a data\ncontrol unit that was organizationally under the information systems\ndepartment. This unit monitored data entry and processing of the\ndocuments, seeing that all batches were received, entered, and processed\ncompletely. In addition, personnel in this unit verified that each source\ndocument was properly prepared and authorized before the data on the\ndocument was entered into the system.\n\n      This function has migrated to the user department as it gained access\nto application systems through computer terminals. Several or more\npersonnel in the user department may now enter source documents into a\ntransaction file that is not released for processing until a supervisory or\nindependent review occurs. A user department control unit may have the\nresponsibility to see that entered transactions are supported by a source\ndocument that contains a valid authorizing signature. Also, supervisors in\nthe user department may hold this responsibility. These application systems\nmay have a separate authorization screen accessed by computer terminal by\ncontrol unit or supervisory personnel. After verifying the input transactions,\nthe control unit or supervisory personnel enter the required authorization\nand release the data for further processing.\n\n      Unauthorized personnel who have unrestricted access to data entry\nterminals (as well as by authorized users who are not restricted in what\ntransactions they can enter) can compromise the integrity of application\ndata. Without limits, unauthorized personnel and authorized users could\nenter fraudulent or malicious transactions. To counter this risk, both\nphysical and logical controls are needed to restrict data entry terminals to\nauthorized users for authorized purposes. This section provides an overview\n\n                                     21\n\x0cof controls relevant to restricting data entry terminals and limiting users in\nwhat transactions they can enter. Any work done in this section should be\ndone in conjunction with the other two sections.\n\nData entry terminals are secured and restricted to authorized users.\n\n      Data entry terminals should be located in physically secure rooms.\nWhen terminals are not in use, these rooms should be locked, or the\nterminals themselves should be capable of being secured to prevent\nunauthorized use. Supervisors should sign on to each terminal device, or\nauthorize terminal usage from a program file server, before an operator can\nsign on to begin work for the day. Each operator should be required to use\na unique password and identification code before being granted access to\nthe system.\n\n      Data entry terminals should be connected to the system only during\nspecified periods of the day, which corresponds with the business hours of\nthe data entry personnel. Each terminal should automatically disconnect\nfrom the system when not used after a specified period of time.\n\n      Where dial-up access is used to connect terminals to the system,\nconnection should not be completed until the system calls back to the\nterminal. These terminals should generate a unique identifier code for\ncomputer verification. Such procedures help limit access to known,\nauthorized terminals.\n\n      On-line access logs should be maintained by the system, such as\nthrough the use of security software, and should be reviewed regularly for\nunauthorized access attempts. All transactions should be logged as they are\nentered, along with the terminal ID that was used, and the ID of the person\nentering the data. This builds an audit trail and helps hold personnel\naccountable for the data they enter.\n\nUsers are limited in what transactions they can enter.\n\n      It is not enough to restrict access to data entry terminals to authorized\nusers, as these users may still enter unauthorized transactions, if they are\nnot limited on what transactions they can enter. Limits can be accomplished\nthrough authorization profiles. One authorization profile level can be placed\nover the terminal so that only specified transactions can be entered from a\ngiven terminal. For example, a terminal in a payroll office may be granted\nauthorization so that payroll information, such as employee time and\nattendance and pay withholdings, could be entered from that terminal.\n\n                                      22\n\x0cHowever, to effect a separation of duties, this terminal could be denied\nauthorization to enter personnel actions, such as hirings that would create a\nnew employee pay record, or promotions. These latter transactions are\nnormally restricted to a personnel or human resources office.\n\n      Authorization profiles can also be established for user personnel.\nThese personnel can be denied authorization for initiating transactions that\nwould add or change a record on the authorized vendor master file. If one\nemployee had the capability to initiate both types of transactions, the\nemployee could potentially cause a fraudulent transaction by creating a\nvendor master record and initiating a payment that would be sent to the\nspecified address or bank account controlled by the employee.\n\n      Before the auditor can rely on authorization profiles to reduce the\naudit risk, the auditor must determine the adequacy of the general controls\nover the profiles. That is, if the general controls are not effective in\npreventing unauthorized changes to the data matrix or table that constitutes\nthe profile, the auditor should not rely upon this control.\n\n       An effectively controlled application system will also have authorization\ntype controls to monitor data as it is processed. Two such controls include\nthe use of master files and exception reporting that help determine the\nvalidity of transactions. These controls require computer programs to\nperform the validity checks and involve a process commonly referred to as\ndata validation and editing. Many of the programmed checks in this process\nalso concern the validity and accuracy of data fields in a transaction record,\nincluding whether a data field has a valid code, such as a pay withholding\ncode used in a payroll application system. This section focuses on checks to\ndetermine the validity of a transaction. Data validation and editing is a more\ndetailed discussion of data validation and editing, focusing on checks to\ndetermine the validity and accuracy of data fields.\n\nMaster files help identify unauthorized transactions.\n\n       A master file is a computer file that contains account and/or reference\ninformation that are integral to application systems, such as a payroll master\nfile containing authorized employees and pay data. Master files and their\napproved records can help identify unauthorized transactions. For example,\nan accounts payable system should have a master file of approved vendors.\nAs payment transactions are processed, they would be compared with this\nfile and any payment for a vendor not on the file would be rejected and\ninvestigated by supervisor personnel, or by personnel specifically assigned\nthis responsibility that do not also have responsibility for initiating vendor\n\n                                      23\n\x0cpayments. Using this process, there is greater assurance that all\ntransactions not rejected are authorized and valid payments.\n\nExceptions are reported to management for their review and approval.\n\n      An exception report lists items requiring review and approval. These\nitems may be valid, but exceed parameters established by management.\nImplementation of this control may vary, such that one system may print\nchecks and have them routed to management to be released after their\napproval, and another system may hold the transaction in a suspense\naccount until management enters an authorizing indicator, thus triggering\nthe disbursement.\n\n      Before the auditor can rely on these controls to reduce the audit risk,\nthe auditor must, as in the previous section, determine the adequacy of the\ngeneral controls over these controls. That is, these controls would be\nrendered ineffective if the general controls would not prevent unauthorized\nchanges to the master files and exception criteria, and to the program code\nresponsible for performing the file and criteria comparisons with transaction\ndata.\n\nCOMPLETENESS CONTROLS\n\n      All authorized transactions should be entered into and completely\nprocessed by the computer. Assessing the controls over completeness\ninvolves evaluating the entity\xe2\x80\x99s success in performing each of the critical\nelements listed below.\n\nCritical Elements:\n\n   \xe2\x80\xa2   All authorized transactions are entered into and processed by the\n       computer, and\n\n   \xe2\x80\xa2   Reconciliation is performed to verify data completeness.\n\n      A control for completeness is one of the most basic application\ncontrols, but is essential to ensure that all transactions are processed, and\nmissing or duplicate transactions are identified. The most commonly\nencountered controls for completeness include the use of record counts and\ncontrol totals, computer sequence checking, computer matching of\ntransaction data with data in a master or suspense file, and checking of\nreports for transaction data.\n\n\n\n                                      24\n\x0cRecord counts and control totals.\n\n      In general, user-prepared totals established over source documents\nand data to be entered can be carried into and through processing. The\ncomputer can generate similar totals and track the data from one processing\nstage to the next and verify that the data was entered and processed, as it\nshould have been. For example, a file of valid transactions (i.e.;\ntransactions that pass data validation and editing) can contain a control\nrecord showing the record count and control totals for the file. As the file is\nprocessed through a job (or job step) the computer can calculate a record\ncount and control totals for the transactions processed. The computer\ncalculated amounts are compared with the amounts in the control record.\nAgreements in the amounts provide evidence that the processing was done\naccurately and completely. Disagreements indicate that a problem has\noccurred and needs to be investigated and rectified. On-line or real-time\nsystems, where transactions are not entered as a batch, can still utilize this\ntechnique by establishing record counts and control totals over transactions\nentered during a specific time period, such as daily.\n\nComputer sequence checking.\n\n       This control begins by providing each transaction with a unique\nsequential number. Some transactions originate on source documents with\npreassigned serial numbers. This number should be entered into the\ncomputer along with the other data on the transaction. The computer can\nidentify numbers missing from the sequence and provide a report of missing\nnumbers. The missing numbers should be investigated to determine\nwhether they are numbers for voided source documents, or are valid\ndocuments that may have been lost or misplaced.\n\n      For transactions not on source documents with preassigned serial\nnumbers, the computer can assign a unique sequential number as the data\nis entered. At a later point in processing, such as when transaction data\nupdates a master file, the computer can verify that all numbers are\naccounted for. Again, missing numbers are reported for investigation.\n\n       Sequence checking is also valuable in identifying duplicate\ntransactions. For example, two transactions with the same preassigned\nserial number for a source document would indicate that the transaction had\nbeen erroneously entered a second time. As another example, a file of\nsequential numbers for purchase orders could help prevent paying for the\npurchase more than once. After the purchased goods and vendor\xe2\x80\x99s bill are\n\n                                      25\n\x0creceived, a payment transaction with the purchase order number would be\nmatched with the file containing all purchase order numbers, and an\nindicator for the payment would be recorded on the file for that purchase.\nThe payment indicator would cause following payment transactions for the\nsame purchase order to be rejected and reported for investigation.\n\nComputer matching of transaction data.\n\n      This control involves matching transaction data with data in a master\nor suspense file. Unmatched items from both the transaction data and\nmaster or suspense file are reported for investigation. For example, a\npayroll system may be designed so that each employee\xe2\x80\x99s time and\nattendance sheet is matched to the employee\xe2\x80\x99s master pay record. Each\ntime sheet that does not match with a master pay record is reported to\ndetermine whether it represents a valid employee and the master pay file\nneeds to be updated. Each master pay record that does not receive a match\nis reported to determine whether a valid employee exists and a time sheet\nmust be found or created so that the employee will receive pay on time.\nAlso, master pay records with more than one time sheet are reported, which\nindicates a duplicate time sheet exists for one employee.\n\n      As another example, before initiating a payment, a vendor\xe2\x80\x99s invoice\ncould be matched with a file containing records detailing goods received.\nInvoices not matched could be reported to show goods not received, and no\ninvoices would be paid until a match occurred.\n\nChecking reports for transaction data.\n\n      This activity involves checking each individual transaction with a\ndetailed listing of items processed by the computer to verify that the\ntransaction submitted was indeed processed. While an effective method, it\nis time-consuming and costly. Therefore, it is normally used with low-\nvolume but high-value transactions, such as updating master files.\n\nReconciliations show the completeness of data processed at points\nin the processing cycle.\n\n      An application system is a collection or group of individual computer\nprograms that relate to a common function. As data is entered into and\nprocessed through these programs, reconciliations of record counts and\ncontrol totals at various points helps make certain that all the data was\nprocessed completely for the programs relative to the reconciliation. For\nexample, control over a batch (a collection) of source documents may entail\n\n                                    26\n\x0ca user to establish a record count and control total over the batch and\nrecord the amounts on a batch control sheet. The control information on\nthe batch control sheet would be entered into the computer along with the\ninformation on each source document. The computer would compute a\nsimilar record count and control total for the batch as the data is entered.\nFor the reconciliation, the computer would compare the computed amounts\nwith the entered amounts from the batch control sheet. Agreement in the\namounts indicates all data was completely entered. A disagreement may\nindicate some data is missing, an amount was entered incorrectly, or the\nbatch control information was calculated or entered incorrectly. Batches\nwith disagreements are commonly referred to as a \xe2\x80\x9cbatch-out-of-balance.\xe2\x80\x9d\nThese should not undergo further processing until the disagreements are\ninvestigated and resolved. The record counts and control totals for batches\nin agreement are usable for reconciliations during later processing, as\ndiscussed below.\n\n      For applications where transactions are entered individually as they\noccur, this concept is still of use, as a record count and control total could be\nestablished over transactions entered during a specific time period, such as\ndaily. Files should contain record count and control total information so that\nthe computer can verify processing completeness as it progresses.\nComputer tape files would contain this information in a \xe2\x80\x9ctrailer label\xe2\x80\x9d record\nthat exists at the end of all data records on the tape. A disk file would\ncontain this information in a control record. A program creating the file\ncalculates and records the control information on the file. As a subsequent\nprogram processes the file, the computer calculates similar information and\nreconciles what it calculated with what was recorded on the file. Agreement\nin the amounts indicates all data was completely processed. This control\ninformation is commonly referred to as \xe2\x80\x9crun-to-run control totals.\xe2\x80\x9d\n\n      As systems have become more integrated over the years, a file\nproduced by one application may be used in another application. It is\nimportant to reconcile control information between the sending and receiving\napplications.\n\n      Performing the comparison of control numbers is commonly referred to\nas balancing, and should be done automatically by the computer, although\nsome older systems may rely on manual balancing procedures. The control\nnumbers for the balancing at key points should be documented, such as\nbeing printed on a control totals balance report, and should be reviewed by\nthe data processing control group that monitors the completeness and\naccuracy of processing.\n\n\n                                       27\n\x0cReconciliations show the completeness of data processed for the\ntotal cycle.\n\n       Reconciliations should occur periodically that verify the completeness\nof data processed for a given cycle, such as daily, weekly, or relative to the\nprocessing cycle - for example, monthly for an accounts payable system. A\ncontrol register is an effective tool to use in this process. Such\nreconciliations monitor the completeness of transactions processed, master\nfiles updated, and outputs generated, such as cash disbursements.\n\n       To illustrate with updating a master file, control information for this file\nshould be recorded in the control register at the start of the cycle. Control\ninformation for the transactions entered that will update the master file\nshould be reconciled with the control information over both accepted and\nrejected transactions. Control information for the accepted transactions that\nupdate the master file should be entered in the control register and added to\nthe control information for the beginning master file. Control information for\nthe updated master file should then be reconciled to the control register,\nshould equal the sum of the beginning master file and accepted transactions.\nAnother example illustrates reconciliation over disbursements for an\naccounts payable system. A vendor master file may contain a data field to\nrecord month-to-date payments. A total of all the vendors\xe2\x80\x99 month-to-date\npayments in the master file should be reconciled with and equal the total for\nall the checks written during the month to those vendors.\n\nACCURACY CONTROLS\n\n      The recording of valid and accurate data into an application system is\nessential to provide for an effective system that produces reliable results.\nAssessing the controls for valid and accurate data involves determining the\nentity\xe2\x80\x99s success in achieving each of the critical elements listed below.\n\nCritical Elements.\n\n   \xe2\x80\xa2   Data entry design features contribute to data accuracy,\n\n   \xe2\x80\xa2   Data validation and editing are performed to identify erroneous data,\n\n   \xe2\x80\xa2   Erroneous data are captured, reported, investigated, and corrected,\n       and\n\n   \xe2\x80\xa2   Review of output reports helps maintain data accuracy and validity.\n\n\n                                        28\n\x0c      Well-designed data entry processes can contribute to the entry of\naccurate and valid data. On the other hand, inadequacies in this area can\ncontribute to data entry errors. The focus here includes source document\ndesign, preformatted computer terminal data entry screens, key verification,\nand the use of automated entry devices.\n\n\nSource documents are designed to minimize errors.\n\n       Special purpose forms should be used that help the preparer to initially\nrecord data correctly and in a uniform format. This also facilitates the entry\nof data at a later stage. For example, rather than just providing a blank\n(\xe2\x80\x9c_________\xe2\x80\x9c) for a social security number, a well-designed form would\ninclude the following to record the number: \xe2\x80\x9c - - .\xe2\x80\x9d For each type of\ntransaction, the source document should provide a unique code or identifier,\nwhich should be preprinted on the document for data entry if it supports\nonly one transaction type. The application computer programs use the\ntransaction type for selecting the processing to be performed on the\ntransaction. When several or more codes are options for identifying a data\nfield\xe2\x80\x99s purpose, such as a payroll withholding, the options should be\npreprinted on the source document. A short list of options could appear\nunder or near the data field, and a longer list could appear on the back of\nthe document.\n\nPreformatted computer terminal screens guide data entry.\n\n      Using preformatted computer terminal screens for data entry helps\nincrease data accuracy at the point of entry. The computer screen (and the\nassociated program code) prompts the terminal operator for data by field.\nProgrammed routines allow the data to be checked or edited as it is keyed.\nAfter the data has been entered and passes the programmed edits, the\ncomputer screen prompt moves to the next data field indicating to the\nterminal operator the next data to be entered.\n\nKey verification increases the accuracy of significant data fields.\n\n        For paper intensive source document environments found in large\ngovernment transaction operations, key verification is a common technique\nstill used to increase the accuracy of significant data fields. For this\ntechnique, after initial entry of transaction data, a separate individual reads\nthe same source document and keys data into a machine that checks the\nresults of keystrokes with what was originally keyed. Data that is keyed\ndifferently is reviewed to determine the correct data. As an example, the\n\n                                      29\n\x0cInternal Revenue Service (IRS) uses key verification to ensure that certain\ndata from tax returns have been entered correctly. This technique\xe2\x80\x99s\neffectiveness is reduced if the original data entry person is also the one\nperforming the key verification, or if the key verifier is located next to or in\nthe proximity of the original data entry person, thereby negating a\nseparation of duties in performing this function.\n\nAutomated entry devices increase data accuracy.\n\n      The use of automated entry devices (e.g., optical or magnetic ink\ncharacter readers) can reduce data error rates, as well as speed the entry\nprocess. The IRS\xe2\x80\x99s use of preprinted labels, showing the taxpayer\xe2\x80\x99s name,\naddress, and social security number is such an example. This information\ncan be entered without keying the data, which ensures a more accurate and\nfaster process.\n\n       A crucial control activity involves identifying erroneous data at the\npoint it enters the application system, or at some later point during the\nprocessing cycle. This is accomplished in a process that is commonly called\ndata validation and editing. Programmed validation and edit checks are key\nto this process, and are generally performed on transaction data entering\nthe system, as well as data prior to updating master files, and data resulting\nfrom processing.\n\nProgrammed validation and edit checks identify erroneous data.\n\n      Programmed validation and edit checks are, for the most part, the\nmost critical and comprehensive set of controls in assuring that the initial\nrecording of data into the system is accurate. These controls are built as\nearly as possible in the input process, and provide extensive coverage over\nas many data fields that a user feels a need to control. This approach is\nused extensively in both batch and on-line environments.\n\n      Programmed validation and edit checks can effectively start as the\ndata are being keyed in at a computer terminal using preformatted computer\nscreens. For example, an alphabetic character entered for a numeric field\ncan be rejected as it is keyed. Also, data involving quantities or values can\nbe checked to ensure they fall within reasonable predetermined limits, or\nwithin the range of a set of numbers. Further, key fields, such as a loan\naccount number, or parts number in an inventory system, could employ a\ncheck digit to help validate that the number is being entered correctly. The\ncheck digit is an additional number contained in the key field, which is\ndetermined by a formula from the other numbers of the key field. The\n\n                                       30\n\x0ccomputer recalculates the check digit using the formula with the numbers\nentered and compares the calculation with the check digit entered.\nAgreement between the check digit entered and the recalculated check digit\nprovides support that all the numbers were entered correctly with no\ntransposition errors.\n\n       Programmed validation and edit checks may also occur after data has\nentered the application. For example, transaction data may enter the\nprocessing cycle from another application and should be subjected to these\nchecks. This should occur before updating master files, and should be\nperformed early in the data flow to reduce the processing associated with\nincorrect data. Some of these later checks may focus on determining the\nvalidity of a transaction data field. For example, a benefit payment system\nmay compare the transaction\xe2\x80\x99s disability type code to a table of valid codes.\nOther checks may focus on determining the validity of the transaction itself,\nsuch as comparing vendor invoices with an approved vendor file, and with a\nfile on purchase orders and goods received.\n\n      These checks also help provide that data recorded in key fields on\nmaster files are accurate and valid. One check, known as relationship\nediting, compares data in a transaction record with data in a master record\nfor appropriateness and correctness before updating the master record. As\nan example, a personnel action to effect a promotion for an employee on a\nmaster pay file will first establish a match between the transaction record\nand pay record based on the employee\xe2\x80\x99s social security number. However,\nbefore posting the new grade level and salary to the pay record, the\ncomputer may ensure that the names in the transaction record and pay\nrecords agree, and that the old grade level in the personnel action is the\nsame grade level as the existing grade level in the pay record. Only after\nagreement with both items will the pay record be updated.\n\n        The total transaction should undergo data validation and editing, and\nall fields in error should be identified before the transaction is rejected from\nfurther processing.\n\nTests are made of critical calculations.\n\n      Data resulting from processing routines, such as critical calculations,\nshould also be tested to ensure the results are valid. For example, limits\nand reasonableness checks would help identify erroneous results before they\ncause some negative impact. Unusual items could be held and reported for\nmanagement review and approval. Through such means, disbursements\n\n\n                                       31\n\x0cexceeding a certain amount could be routed for a manager\xe2\x80\x99s review and\napproval prior to release of the disbursement.\n\n      Before the auditor can rely on the entity\xe2\x80\x99s data validation and editing\nchecks, discussed in this and the previous sections, to reduce the audit risk,\nthe auditor must determine the adequacy of the general controls over these\nchecks. To be effective, the general controls should protect the program\ncode and any related tables associated with the validation and edit routines\nfrom unauthorized changes.\n\nOverriding or bypassing data validation and editing is restricted.\n\n      Many systems allow data validation and edit routines to be bypassed,\nwhich could allow the system to accept and process erroneous data. Using\nthe bypass capability (sometimes referred to as an override) should be very\nlimited and closely controlled and monitored by supervisory personnel. For\nexample, each override should be automatically logged and reviewed by\nsupervisors for appropriateness and correctness.\n\n       Transactions detected with errors need to be controlled to ensure that\nthey are corrected and reentered in a timely manner. During data entry,\nparticularly with more modern systems, an error can be identified and\ncorrected at the data entry terminal. With errors identified during the data\nprocessing cycle, however, a break generally has been made from the data\nentry terminal. Therefore, errors identified cannot be communicated in a\nreal-time mode back to personnel entering the data for immediate\ncorrection. An automated error suspense file is an essential element to\ncontrolling these data errors, and the errors need to be effectively reported\nback to the user department for investigation and correction.\n\nRejected transactions are controlled with an automated error\nsuspense file.\n\nUsing an automated error suspense file should control rejected transactions.\nTransactions entered into this file should be annotated with:\n\n      \xe2\x80\xa2 codes indicating the type of data error,\n\n      \xe2\x80\xa2 date and time the transaction was processed as well as\n        the error identified, and\n\n      \xe2\x80\xa2 the identity of the user who originated the transaction.\n\n\n                                      32\n\x0c     Record counts and control totals should be developed automatically\nduring processing of erroneous transactions to the suspense file and used in\nreconciling the transactions successfully processed. A control group should\nbe responsible for controlling and monitoring the rejected transactions.\n\n       The suspense file should be purged of the related erroneous\ntransaction as the correction is made. Record counts and control totals for\nthe suspense file should be adjusted accordingly. Periodically, the suspense\nfile should be analyzed to determine the extent and type of transaction\nerrors being made, and the age of uncorrected transactions. This analysis\nmay indicate a need for a system change or some specific training to reduce\nfuture data errors.\n\n      General controls should protect the suspense file from unauthorized\naccess and modification, in order for the auditor to be able to rely on this\ncontrol technique to reduce audit risk.\n\nErroneous data are reported back to the user department for\ninvestigation and correction.\n\n       Systems that allow user groups to enter data at a computer terminal\noften allow data to be edited as it is entered, and generally allows immediate\ncorrection of errors as they are identified. Error messages should clearly\nindicate what the error is and what corrective action is necessary. Errors\nidentified at a later point in processing should be reported to the user\noriginating the transaction for correction.\n\n      Some systems may use error reports to communicate to the user\ndepartment the rejected transactions in need of correction. More modern\nsystems will provide user departments\xe2\x80\x99 access to a file containing erroneous\ntransactions. Using a computer terminal, users can initiate corrective\nactions. Again, error messages should clearly indicate what the error is and\nwhat corrective action is necessary. The user responsible for originating the\ntransaction should be responsible for correcting the error. All corrections\nshould be reviewed and approved by supervisors before being reentered into\nthe system, or released for processing if corrected from a computer\nterminal.\n\n      Output can be in several forms, including printed reports, data\naccessible on-line by users, and computer files that will be used in a later\nprocessing cycle, or by other programs in the application. Output should be\nreviewed and control information should be reconciled to determine whether\nerrors occurred during processing. Various reports are typically produced by\n\n                                      33\n\x0capplication systems that, if reviewed, help maintain the data\xe2\x80\x99s accuracy and\nvalidity. Production and distribution of these reports need to be controlled,\nand to be effective, they need to be reviewed by the user.\n\nControl output production and distribution.\n\n      Someone should be assigned responsibilities for seeing that all outputs\nare produced and distributed in accordance with the requirements and\ndesign of the application system. In larger organizations with mainframe\ncomputer environments, this responsibility is typically assigned as part of\nthe responsibilities of a data control group, which falls within the information\nsystems department. This group, or some alternative, should maintain a\nschedule by application that shows the output products produced, when they\nshould be completed, whom the recipients are, the copies needed, and when\nthey are to be distributed. The group should review output products for\ngeneral acceptability and reconcile control information to determine the\ncompleteness of processing.\n\n       Printed reports should contain proper identification, including a title\npage with the report name, time and date of production, and the processing\nperiod covered by the report. Reports should also have an \xe2\x80\x9cend-of-report\xe2\x80\x9d\nmessage to positively indicate the end of a report. A report may have pages\nmissing at the end of the report, which may go undetected without this type\nof message. Controls and procedures are needed to ensure the proper\ndistribution of output to authorized users. Without control over distribution,\nusers may not receive needed output in a timely manner, and unauthorized\npersons may gain access to output containing privacy or sensitive\ninformation. Each output should be logged, manually if not done\nautomatically, along with the recipients of the output, including outputs that\nare transmitted to a user\xe2\x80\x99s terminal device. For these transmissions, the\ncomputer system should automatically check the output message before\ndisplaying, writing, or printing to make sure the output has not reached the\nwrong terminal device. In the user department, outputs transmitted should\nbe summarized daily and printed for each terminal device, and reviewed by\nsupervisors.\n\n      Occasionally, errors may be identified in output products requiring\ncorrective action, including possibly rerunning application programs to\nproduce the correct product. A control log of output product errors should\nbe maintained, including the corrective actions taken. Output from reruns\nshould be subjected to the same quality review as the original output.\n\n\n\n                                      34\n\x0cReports showing the results of processing are reviewed by users.\n\n      The user department has ultimate responsibility for maintaining data\nquality, and should review output reports for data accuracy, validity, and\ncompleteness. Some typical reports that are commonly produced for review\nby users include the following:\n\n      \xe2\x80\xa2   An error report that shows rejected transactions, the cause(s) of\n          the rejections, and corrections needed.\n\n      \xe2\x80\xa2   A transaction report that lists important data fields of every valid\n          transaction in the processing cycle. Transactions that are internally\n          generated by the application (e.g., inventory orders as stocks reach\n          the reorder quantity) are included and listed separately.\n\n      \xe2\x80\xa2   A master record change report (also known as a \xe2\x80\x9cwas-is\xe2\x80\x9d report)\n          that shows the contents of every master record before and after\n          every master record change.\n\n      \xe2\x80\xa2   An exception report that lists items requiring review and approval.\n          These items may be valid, but exceed parameters established by\n          management, such as disbursements exceeding a dollar amount.\n\n      A control totals balance report lists the control fields and the totals\ncalculated by the computer to show the results of processing. If similar\nfigures were predetermined and entered with the data submitted for\nprocessing, the report will also identify agreements and variances.\n\nCONTROLS OVER INTEGRITY OF PROCESSING AND DATA FILES\n   Example of items to cover:\n\n\n          \xe2\x80\xa2   Procedures ensure that the current versions of production\n              programs and data files are used during processing.\n\n          \xe2\x80\xa2   Programs include routines to verify that the proper version of the\n              computer file is used during processing.\n\n          \xe2\x80\xa2   Programs include routines for checking internal file header labels\n              before processing.\n\n          \xe2\x80\xa2   The application protects against concurrent file updates.\n\n\n                                       35\n\x0c                                                             APPENDIX IV\n\n\n                    SENTRY\xe2\x80\x99S AUTHORIZED USERS LIST\n         (As indicated within the BOP\xe2\x80\x99s SENTRY Risk Assessment, December 2000)\n\nCriminal Division\n\nDepartment of Justice\n\nDrug Enforcement Administration (DEA) - El Paso Intelligence\n\nDrug Enforcement Administration (DEA) - National Drug Intelligence\n\nFederal Bureau of Investigation\n\nImmigration and Naturalization\n\nInterpol Headquarters\n\nJustice Management Division\n\nOffice of Pardon Attorney\n\nOffice of the Corrections Trustee\n\nOffice of the Inspector General\n\nParole Commission\n\nUnited States Army\n\nUnited States Attorneys\n\nUnited States Marshals Service\n\nUnited States Marshals Service Transportation\n\nUnited States Navy\n\nUnited States Probation Office\n\nUnited States Sentencing Commission\n\n\n\n\n                                        36\n\x0c                                                        APPENDIX V\n\n\n                        ABBREVIATIONS\n\nBOP          The Federal Bureau of Prisons\n\nCA           Computer Associates\n\nCCO          Community Corrections Office\n\nDBMS         Database Management System\n\nDepartment   The Department of Justice\n\nFISCAM       Federal Information System Controls Audit Manual\n\nGAO          Government Accounting Office\n\nGUM          General Use Manual\n\nIDMS         Integrated Data Management System\n\nIFRP         Inmate Financial Responsibility Program Module\n\nIRS          Internal Revenue Service\n\nJ&C          Judgment and Commitment Order\n\nJCN          Justice Consolidated Network\n\nJDC-D        Justice Data Center in Dallas, Texas\n\nJMD          Justice Management Division\n\nMAN          Metropolitan Area Network\n\nNCC          Network Control Center\n\nOIG          The Office of the Inspector General\n\nPSI          Pre-Sentence Investigation Report\n\nPLRA         The Prisoner Litigation Reform Act\n\nUSMS         United States Marshals Service\n\nVCCLEA       Violent Crime Control and Law Enforcement Act of 1994\n\n\n\n                                37\n\x0c                                                                 APPENDIX VI\n\n\n            DESCRIPTION OF SENTRY DATABASE MODULES\n\nThe Inmate Population Monitoring module - tracks inmate movement in\nevery BOP facility, or while an inmate is in transit, regardless of location or\ntime of day. It also provides immediate access to the current population of\nany institution, region, or community facility. The module encompasses\nadmission processing; admission or release status; custody, quarters, unit,\ncaseworker, and work assignments; inmate count monitoring; special inmate\nmonitoring; education, court, and hospital callouts; inmate facility\ndesignations; release and transfer processing; program treatment\nmonitoring; and social and education data reporting. A number of\npreformatted reports are available to assist institutions in managing day-to-\nday operations.\n\nSentence Monitoring module - calculates and tracks all aspects of an\ninmate\xe2\x80\x99s sentence. It ensures that inmates\xe2\x80\x99 release dates are accurate and\nthat sentence calculations comply with statutory requirements and the BOP\nregulations. As federal statutes regarding inmates\xe2\x80\x99 sentences have become\nincreasingly complex, the module must now track inmates\xe2\x80\x99 education and\ndisciplinary records, as well as participation in drug or boot camp programs,\nand include factors based on these records into the sentence. As lawsuits by\ninmates routinely challenge sentence calculations, the consistency and\naccuracy offered by the Sentence Monitoring module enables the BOP to\nsuccessfully defend itself.\n\nDesignations module - is the means by which all inmates are assigned to\nspecific facilities. Using criteria identified in the BOP\xe2\x80\x99s inmate classification\nsystem \xe2\x80\x94 severity of offense, history of violence, type of detainer, etc. \xe2\x80\x94\nand public safety factors where appropriate, the module calculates a total\nsecurity score and inmate security level, factors in specific inmate\nrequirements (e.g., drug abuse program, medical condition, judicial\nrecommendation), and displays a list of appropriate facilities for the Inmate\nDesignator to choose from, in order of distance from the inmate\xe2\x80\x99 s residence.\nIf any of these facilities houses other inmates that the inmate needs to be\nseparated from, SENTRY displays a warning. It records the Designator\xe2\x80\x99s\nchoice of facility, creates a log entry to advise the facility that the inmate\nwas designated there, and updates the running total of inmates on their way\nto that facility. This module also helps the BOP\xe2\x80\x99s Office of Capacity Planning\ndetermine security level requirements for future institutions.\n\n\n\n\n                                       38\n\x0cCentral Inmate Monitoring module (CIM) - identifies inmates who the\ncourt has determined need special evaluation (e.g. review of mental status).\nThe need to separate inmates who have threatened each other was the\ninitial reason for developing this module. It tracks inmates\xe2\x80\x99 "separatees"\nand allows the BOP staff to designate them to institutions where they will be\nsafe. If an inmate is admitted to a facility where separation from others is\nwarranted, the institution is notified and may take appropriate action.\nAccording to the BOP, it has not had an injured inmate as a result of the\nBOP\xe2\x80\x99s failure to separate as considered necessary.\n\nIn addition, the system records inmates\xe2\x80\x99 participation in disruptive groups\nand street gangs such as the Aryan Brotherhood (AB),20 the Black Guerrilla\nFamily (BGF),21 and the Latin Kings.22 Managing the distribution of these\ngangs throughout the BOP\xe2\x80\x99s facilities lessens the likelihood of gang-on-gang\nviolence.\n\nThe final function of CIM is the protection of Government witnesses. These\ninmates\xe2\x80\x99 identities and locations are shrouded from all SENTRY resources\nother than those in protective custody units and a limited number of\nmanagement users in Regional and Central offices. If an unauthorized user\nattempts to retrieve information about these inmates, no indication is given\nthat they even exist.\n\nAdministrative Remedy System module - reports and tracks the\nresponses of the BOP\xe2\x80\x99s inmates\xe2\x80\x99 complaints and the procedure for doing so.\nThis module replaced the labor-intensive process of disseminating a variety\nof documents to the inmates. Each Administrative Remedy is logged\nelectronically. An automated tracking capability helps track cases in process\nand monitor critical due dates.\n\n\n\n20\n     The letters "AB" represent Aryan Brotherhood, a prison gang that originated in 1967 in the California Department\n     of Corrections at San Quentin. Many members display white supremacist ideology, but they are first and\n     foremost a criminal gang involved in the methamphetamine trade. AB has also spawned other white gangs in\n     the prison system. Several common nicknames for AB members are Alice, Alice Baker, Tip & Brand, and the\n     Brand.\n\n21\n     The initials "BGF" (Black Guerilla Family) combined with cross sabers, shotguns, and black dragons taking over\n     prison towers provide the backdrop for this tattoo. Former Black Panther George L. Jackson started this gang at\n     San Quentin State Prison in California in 1966. The gang has a strong political ideology that promotes Black\n     revolution and the overthrow of the government.\n22\n     The largest Latino gang in Chicago, and perhaps in the United States, is the Latin King and Queen Nation. The\n     Latin Kings have their roots in the Puerto Rican experience in Chicago. Gentrification has pushed Chicago\'s\n     Puerto Rican community and their gangs from Harrison Street on the near west side to Lincoln Park and then to\n     Humboldt Park \xe2\x80\x94 which is now undergoing substantial gentrification. The Latin Kings are also a major force in\n     the barrios of New York. Black & Gold is a documentary film of the politicalization and repression of the Latin\n     Kings in New York City in the 1990s. Latin Kings have chapters all across the United States.\n\n\n                                                          39\n\x0cInmate Discipline module - tracks every report of a breach of institution\nrule filed against an inmate from beginning of the process to the end to\nensure compliance with policy. For example, the module ensures the\nappropriate regulations are imposed according to the seriousness of the act\ncommitted. This module is integrated into the inmate population monitoring\nmodule\xe2\x80\x99s generalized retrieval program to allow the addition of discipline\ninformation when searching for groups of inmates. It also interacts with\nmodules used by the Office of Research to provide statistics on inmate\nassaults against staff members and other inmates.\n\nInmate Financial Responsibility Program module (IFRP) - records,\nmanages, and monitors court-ordered financial obligations imposed on\ninmates. IFRP payments are deducted from institution earnings and applied\nto an inmate\xe2\x80\x99s financial obligations. These funds are automatically\ntransmitted to the appropriate organization for disbursement to the Crime\nVictims Fund and other recipients.\n\nState Billing module - tracks and reports amounts owed to different states\nfor an inmate serving a state sentence in a BOP facility. Per diem rates are\nentered into SENTRY in accordance to the length of time served in a BOP\nfacility. SENTRY accounts for the various rate computations and reports, to\neach jurisdiction, the inmate\xe2\x80\x99s name, length of time spent, per diem rate,\nand total dollar amount involved. Summary and management reports are\ndistributed indicating the time an inmate spends in any BOP facility in any\ngiven year.\n\nProperty Management System module - keeps track of the BOP\xe2\x80\x99s\naccountable property and automatically computes the depreciation of\ncapitalized property.\n\n\n\n\n                                    40\n\x0c                                                             APPENDIX VII\n\n                   APPLICATION CONTROL CRITERIA\n\n1.    The GAO\xe2\x80\x99s Federal Information System Controls Audit Manual.\n\n2.    Department of Justice Order 2640.2D, Information Technology\n      Security, Chapter 2, \xe2\x80\x9cSecurity Requirements.\xe2\x80\x9d\n\n3.    OMB Circular A-130, Appendix III, Section A 3.b.2.\n\n4.    National Institute of Standards and Technology, Special Publication\n      800-18.\n\n5.    National Institute of Standards and Technology, Federal Information\n      Processing Standards Publication 73, Section 3.1.1.\n\n6.    Office of the Inspector General Audit report number 03-13\n      \xe2\x80\x9cIndependent Evaluation Pursuant to the Government Information\n      Security Reform Act,\xe2\x80\x9d fiscal year 2002, The Justice Consolidated\n      Network.\n\n7.    The BOP\xe2\x80\x99s Standard Operating Procedures.\n\n8.    The BOP\xe2\x80\x99s SENTRY Contingency Plan.\n\n9.    The BOP\xe2\x80\x99s Information Technology Investment Report.\n\n10.   The BOP\xe2\x80\x99s Community Corrections Management Operations Procedures\n      (PS 5100.07).\n\n11.   The BOP\xe2\x80\x99s SENTRY \xe2\x80\x9cGeneral Use Manual.\xe2\x80\x9d\n\n12.   The BOP\xe2\x80\x99s \xe2\x80\x9cSENTRY System Security Guide,\xe2\x80\x9d dated June 23, 2000.\n\n13.   The BOP\xe2\x80\x99s \xe2\x80\x9cSENTRY System Security Plan,\xe2\x80\x9d dated February 25, 2000.\n\n14.   The BOP\xe2\x80\x99s Security Evaluation Report.\n\n15.   The BOP\xe2\x80\x99s Policy Standard 1237.12.\n\n\n\n\n                                     41\n\x0c     APPENDIX VIII\n\n\n\n\n42\n\x0c43\n\x0c44\n\x0c                                                               APPENDIX IX\n\n\n OFFICE OF THE INSPECTOR GENERAL, AUDIT DIVISION ANALYSIS\n  AND SUMMARY OF ACTIONS NECESSARY TO CLOSE THE REPORT\n\n      The BOP\xe2\x80\x99s response to the audit (Appendix VIII) describes the actions\ntaken or plans for implementing our recommendations. This appendix\nsummarizes our response and the actions necessary to close the report.\n\nRecommendation Number:\n\n1. Resolved. The BOP agreed to enforce the BOP Policy Standards (PS)\n   5100.07, which states that all Community Corrections Offices (CCOs) are\n   to use the BP-337 for inputting initial inmate data as the sole source\n   document by July 1, 2003. To close this recommendation, the BOP\n   needs to provide the OIG with evidence that the CCOs have received\n   notification of the requirement.\n\n2. Unresolved. The BOP did not respond to the OIG recommendation to\n   redesign the BP-337 so that mandatory information needed for tracking\n   BOP inmates can be documented. The BOP stated the appropriate BOP\n   personnel were not present at the exit conference to address this issue.\n   Therefore, the BOP requested an informal meeting with the OIG to\n   address this issue prior to providing an official response. Please contact\n   the OIG to schedule this meeting.\n\n3. Unresolved. The BOP did not respond to the OIG recommendation to\n   modify the BP-337 to indicate which source document should be used to\n   complete each field within this form. The BOP stated the appropriate\n   BOP personnel were not present at the exit conference to address this\n   issue. Therefore, the BOP requested an informal meeting with the OIG\n   to address this issue prior to providing an official response. Please\n   contact the OIG to schedule this meeting.\n\n4. Resolved. The BOP agreed to update the BOP\xe2\x80\x99s \xe2\x80\x9cSENTRY System\n   Security Guide,\xe2\x80\x9d dated June 23, 2000, to require the routine generation\n   and review of exception reports by December 12, 2003. To close this\n   recommendation, the BOP needs to provide the OIG with a copy of the\n   updated and approved \xe2\x80\x9cSENTRY System Security Guide.\xe2\x80\x9d\n\n5. Resolved. The BOP agreed to provide the Information Security Officer\n   with the exception reports generated from the audit logs in the time\n   period specified by the BOP\xe2\x80\x99s \xe2\x80\x9cSENTRY System Security Guide\xe2\x80\x9d (SSG) by\n   October 1, 2003. To close this recommendation, the BOP needs to\n   provide the OIG with evidence of this occurring.\n\n                                     45\n\x0c6. Resolved. The BOP agreed to enforce the BOP\xe2\x80\x99s existing access control\n   policy by properly configuring SENTRY\xe2\x80\x99s workstation controls. Currently,\n   the BOP is in the process of porting SENTRY to a Web architecture. This\n   process is projected to be completed by FY 2005. To close this\n   recommendation, the BOP needs to provide the OIG with a copy of the\n   documented procedures and evidence of its full implementation.\n\n7. Resolved. The BOP agreed to update SENTRY\xe2\x80\x99s General Use Manual\n   (GUM) to reflect proper procedures for entering initial inmate records into\n   SENTRY by December 5, 2003. To close this recommendation, the BOP\n   needs to provide the OIG with a copy of the SENTRY\xe2\x80\x99s revised GUM and\n   documented procedures.\n\n\n\n\n                                     46\n\x0c'